Hi, I have deployed my application in Tomcat and used a userPrincipal named newprinc. I set the lifetime for this user to 15 minutes and the renewal life to 30 minutes in the KDC using the following command:
modprinc -maxlife 15minutes -maxrenewlife 30minutes +allow_renewable newprinc@REALM
But my ticket is not renewing, and in the Tomcat logs the debug output shows the following:
Client Principal = newprinc@REALM
Server Principal = hbase/hdp006.domain@REALM
Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: 95 D4 01 47 C5 21 E0 94 A7 A8 61 8F DC AC 6E 36 ...G.!....a...n6
0010: 9A 1B F9 2B D8 F3 0D AC 77 E4 9D 6D 92 89 04 07 ...+....w..m....
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Mon Jan 09 20:18:31 IST 2017
Start Time = Mon Jan 09 20:29:39 IST 2017
End Time = Mon Jan 09 20:33:31 IST 2017
Renew Till = null
Client Addresses Null
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 36204827
Created InitSecContextToken:
Please let me know why Renewable Ticket is set to false.
Hello @priyanshu bindal,
The renewable flag and renewable time are a function of:
1. User principal's renewable flag
2. krbtgt (or service) principal's renewable flag
3. KDC's global renewable setting in kdc.conf file
From the output above, you have given renewable permission to 'newprinc'. But the output describes a service ticket (TGS), not an initial ticket (TGT).
Can you please run the following and paste the output here:
2. kinit newprinc
3. klist -eaf
The above should tell more clearly about the state of your newprinc.
Hope this helps!
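An added example, not part of the original thread: a small Python parser for the ticket dump posted in the question, reporting whether it describes a TGT or a service ticket, its renewable flag, and the span from Auth Time to End Time for comparison with -maxlife. The function names are hypothetical, and the sample reproduces the question's fields with the session key and some flags left out.

```python
import re
from datetime import datetime

# Ticket fields copied from the debug output in the question (session key omitted).
SAMPLE = """\
Client Principal = newprinc@REALM
Server Principal = hbase/hdp006.domain@REALM
Renewable Ticket false
Initial Ticket false
Auth Time = Mon Jan 09 20:18:31 IST 2017
Start Time = Mon Jan 09 20:29:39 IST 2017
End Time = Mon Jan 09 20:33:31 IST 2017
Renew Till = null
"""

def _time(value):
    # Drop weekday and zone name ("Mon", "IST"); all stamps share one zone.
    if value == "null":
        return None
    _, mon, day, clock, _, year = value.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def parse_ticket(text):
    """Extract principals, flags and times from a JGSS ticket dump."""
    t = {}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(Client|Server) Principal = (\S+)", line):
            t[m[1].lower()] = m[2]
        elif m := re.match(r"(\w+) Ticket (true|false)$", line):
            t[m[1].lower()] = m[2] == "true"
        elif m := re.match(r"(Auth Time|Start Time|End Time|Renew Till) = (.+)", line):
            t[m[1].lower().replace(" ", "_")] = _time(m[2].strip())
    return t

def diagnose(t):
    """Summarise what the dump says about ticket type and renewability."""
    is_tgt = t["server"].startswith("krbtgt/")
    return {
        "kind": "TGT" if is_tgt else "service ticket",
        "renewable": t["renewable"],
        "renew_till": t["renew_till"],
        # Auth Time is the initial authentication; compare this span with -maxlife.
        "minutes_auth_to_end": (t["end_time"] - t["auth_time"]).total_seconds() / 60,
    }

if __name__ == "__main__":
    print(diagnose(parse_ticket(SAMPLE)))
```

On the posted dump this reports a service ticket for hbase/hdp006.domain@REALM that ends 15 minutes after Auth Time, so the dump alone does not show the renewable state of the TGT for newprinc.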